@tpowellcio
Created May 24, 2016 14:30
Creating SSL Certs

# Creating Certificates

1. From a terminal:

   ```
   openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
   ```

2. Enter the requested information:
   - Common Name: The fully-qualified domain name, or URL, you're securing. If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.coolexample.com.
   - Organization: The legally-registered name for your business. If you are enrolling as an individual, enter the certificate requestor's name.
   - Organization Unit: If applicable, enter the DBA (doing business as) name.
   - City or Locality: Name of the city where your organization is registered/located. Do not abbreviate.
   - State or Province: Name of the state or province where your organization is located. Do not abbreviate.
   - Country: The two-letter International Organization for Standardization (ISO) format country code for where your organization is legally registered. Note: If you do not want to enter a password for this SSL, you can leave the Passphrase field blank. However, please understand there might be additional risks.
3. Open the CSR in a text editor and copy all of the text: `cat filename.csr`
4. Paste the full CSR into the SSL enrollment form in your account.

Combining your bundle to create an auth key

## Creating a .pem with the Entire SSL Certificate Trust Chain

1. Log into your DigiCert Management Console and download your Intermediate (DigiCertCA.crt), Root (TrustedRoot.crt), and Primary Certificates (your_domain_name.crt).
2. Open a text editor (such as WordPad) and paste the entire body of each certificate into one text file in the following order:
   1. The Primary Certificate - your_domain_name.crt
   2. The Intermediate Certificate - DigiCertCA.crt
   3. The Root Certificate - TrustedRoot.crt

   Make sure to include the beginning and end tags on each certificate. The result should look like this:

   ```
   -----BEGIN CERTIFICATE-----
   (Your Primary SSL certificate: your_domain_name.crt)
   -----END CERTIFICATE-----
   -----BEGIN CERTIFICATE-----
   (Your Intermediate certificate: DigiCertCA.crt)
   -----END CERTIFICATE-----
   -----BEGIN CERTIFICATE-----
   (Your Root certificate: TrustedRoot.crt)
   -----END CERTIFICATE-----
   ```

3. Save the combined file as your_domain_name.pem. The .pem file is now ready to use.

## Creating a .pem with the Server and Intermediate Certificates

1. Log into your DigiCert Management Console and download your Intermediate (DigiCertCA.crt) and Primary Certificates (your_domain_name.crt).
2. Open a text editor (such as WordPad) and paste the entire body of each certificate into one text file in the following order:
   1. The Primary Certificate - your_domain_name.crt
   2. The Intermediate Certificate - DigiCertCA.crt

   Make sure to include the beginning and end tags on each certificate. The result should look like this:

   ```
   -----BEGIN CERTIFICATE-----
   (Your Primary SSL certificate: your_domain_name.crt)
   -----END CERTIFICATE-----
   -----BEGIN CERTIFICATE-----
   (Your Intermediate certificate: DigiCertCA.crt)
   -----END CERTIFICATE-----
   ```

3. Save the combined file as your_domain_name.pem. The .pem file is now ready to use.

## Creating a .pem with the Private Key and Entire Trust Chain

1. Log into your DigiCert Management Console and download your Intermediate (DigiCertCA.crt) and Primary Certificates (your_domain_name.crt).
2. Open a text editor (such as WordPad) and paste the entire body of each certificate into one text file in the following order:
   1. The Private Key - your_domain_name.key
   2. The Primary Certificate - your_domain_name.crt
   3. The Intermediate Certificate - DigiCertCA.crt
   4. The Root Certificate - TrustedRoot.crt

   Make sure to include the beginning and end tags on each certificate. The result should look like this:

   ```
   -----BEGIN RSA PRIVATE KEY-----
   (Your Private Key: your_domain_name.key)
   -----END RSA PRIVATE KEY-----
   -----BEGIN CERTIFICATE-----
   (Your Primary SSL certificate: your_domain_name.crt)
   -----END CERTIFICATE-----
   -----BEGIN CERTIFICATE-----
   (Your Intermediate certificate: DigiCertCA.crt)
   -----END CERTIFICATE-----
   -----BEGIN CERTIFICATE-----
   (Your Root certificate: TrustedRoot.crt)
   -----END CERTIFICATE-----
   ```

3. Save the combined file as your_domain_name.pem. The .pem file is now ready to use.

If the certificate file is binary (DER encoded), convert server.crt to PEM with:

```
openssl x509 -inform DER -outform PEM -in server.crt -out server.crt.pem
```

If this is for a web server and you cannot specify loading a separate private and public key, you may need to concatenate the two files. For this use:

```
cat server.crt server.key > server.includesprivatekey.pem
```

# Installing onto server

Source: Installing Comodo PositiveSSL Certificates on Nginx (Certificate Installation: NGINX)

## Certificate Installation: NGINX

Needed for this task:

- PEM encoded certificates (Root, Intermediate(s) and Domain/Device)

## Combine (Concatenate) multiple certificates into one file

Combining the certificates into one file can be accomplished in many ways.

Note: Please be aware that the file names used in this article are for EXAMPLE PURPOSES ONLY! So please modify accordingly to suit your needs based on the type and or product name of the certificate you have. If you're unsure what file names you should be using or have, then please consult our article: Which is Root? Which is Intermediate?

- If you have the individual certificate files (eg. AddTrustExternalCARoot.crt):
  - Using the `cat` command (found on Unix and Unix-like Operating Systems):
    - Syntax: `cat <Device/Entity Cert> <Intermediates (reverse order)> <Root> > ssl-bundle.crt`
    - Example Syntax:

      ```
      cat www_yourdomain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
      ```

- If you have a .crt and .ca-bundle:
  - Using the `cat` command (found on Unix and Unix-like Operating Systems):
    - Syntax: `cat <Device/Entity Cert> <Bundle> > ssl-bundle.crt`
    - Example Syntax: `cat www_yourdomain_com.crt www_yourdomain_com.ca-bundle > ssl-bundle.crt`
  - Using a GUI based text editor:
    - Copy contents of 'www_yourdomain_com.crt' into 'www_yourdomain_com.ca-bundle' on top of the existing text.
    - Save new file as ssl-bundle.crt.
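Added example, not part of the gist: POSIX shell checks for the concatenated bundle that the three DigiCert layouts above and the Comodo `cat` step here produce (the `server.includesprivatekey.pem` variant with the key in front is handled too). It confirms leaf-first order (each certificate issued by the one after it) and that the private key you will hand to `ssl_certificate_key` belongs to the first certificate; the file names are assumptions, and it needs only `openssl` and `awk`.

```shell
#!/bin/sh
# Added example (not from the gist): sanity checks for a concatenated PEM
# bundle before nginx's ssl_certificate is pointed at it. Needs openssl and awk.

# split_certs BUNDLE DIR: copy each CERTIFICATE block to DIR/cert<N>.pem, in
# file order. Anything before the first certificate (e.g. a private key in
# the "Private Key and Entire Trust Chain" layout) is skipped.
split_certs() {
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
                   n > 0 { print > (d "/cert" n ".pem") }' "$1"
}

# check_chain_order BUNDLE: succeed only if the bundle holds at least two
# certificates and each one is issued by the one that follows it, i.e. the
# leaf-first order every layout in the gist uses.
check_chain_order() {
    dir=$(mktemp -d) || return 1
    split_certs "$1" "$dir"
    i=1
    while [ -f "$dir/cert$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$dir/cert$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$dir/cert$((i + 1)).pem" -noout -subject)
        # strip the "issuer=" / "subject=" labels, then the names must match
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            rm -rf "$dir"
            return 1
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    [ "$i" -gt 1 ]
}

# key_matches_cert KEY CERT: the private key belongs to the first certificate
# in CERT (CERT may be the bundle itself, since openssl reads the first block).
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}
```

Run `check_chain_order ssl-bundle.crt && key_matches_cert mysite.key ssl-bundle.crt` before reloading nginx: a bundle whose first certificate is not the server's makes nginx reject the key at startup, while a bundle with a shuffled chain behind a correct first certificate starts fine and only fails in the client's path validation.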

## Configure your nginx Virtual Host

- Move newly created ssl-bundle.crt to where you're saving cert files, e.g. /etc/ssl/certs/
- Create/modify your website's configuration file, which may be located in the following:
  - /etc/nginx/sites-available/
  - /usr/local/nginx/sites-available/
- Ensure it has the following:
  - Set `ssl` to on.
  - Set `listen` to your SSL port; typically 443.
  - Set `ssl_certificate` to the location of your newly created ssl-bundle.crt file.
  - Set `ssl_certificate_key` to the location of your private key.

Optionally you can set the following:

- `ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";` (disables all weak ciphers)
- `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` (enables TLSv1.0, 1.1, and 1.2 but not SSLv2 or 3, as they are both weak and deprecated)
- `ssl_prefer_server_ciphers on;` (specifies that server ciphers should be preferred over client (e.g. browser) ciphers when using SSL/TLS)

Example of an SSL configured Virtual Host for nginx

```nginx
server {
    listen 443;
    server_name mysite.com;

    # 'ssl on;' is the older form; nginx 1.15 and later use 'listen 443 ssl;'
    # instead, as the redirect example further down does.
    ssl on;
    ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
    ssl_certificate_key /etc/ssl/private/mysite.key;

    # enables all versions of TLS, but not SSLv2 or 3 which are weak and now deprecated.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Disables all weak ciphers
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    ssl_prefer_server_ciphers on;
}
```

# Setup https redirect

Source: Pitfalls and Common Mistakes

```nginx
server {
    listen         80;
    server_name    my.domain.com;
    return         301 https://$server_name$request_uri;
}

server {
    listen         443 ssl;
    server_name    my.domain.com;
    # add Strict-Transport-Security to prevent man in the middle attacks
    add_header Strict-Transport-Security "max-age=31536000";

    [....]
}
```